Being fair about memory safety and performance

I&#x27;m not quite sure who this article is aimed at, and who those &quot;C++ apologists&quot; are, but as someone who programs in C++ all day, doesn&#x27;t like it at all, and yet won&#x27;t advocate to switch to Rust, these kinds of arguments are unconvincing. I&#x27;m not advocating to switch to Rust not because I don&#x27;t think it&#x27;s better than C++. I am absolutely, 100% convinced that Rust is <i>technically</i> better than C++ in most possible ways — in some, significantly better — and worse in almost no way. The problem is that, overall, it&#x27;s not better <i>enough</i>.<p>Reevaluating a low-level programming language is something that&#x27;s done in a large organisation or project once every 15-25 years or so. Switching such a programming language incurs a high cost and a high risk, and is a long-term commitment. To make such a switch, the new language obviously has to be better, but that&#x27;s not enough. It has to be <i>a hell of a lot better</i> (and, if not, at least return the investment with a profit quickly).<p>For some, Rust is better enough. For me, not nearly so. Even though it offers a fascinating and, I think, ingenious path to better safety, it shares some of C++&#x27;s greatest downside <i>for me</i>, which is that they are both <i>extremely</i> complex languages. Maybe Rust is simpler, but not enough. Rust also shares what I think is C++&#x27;s original misguided sin, which is the attempt to create a low level language, whose code appears high-level on the page by means of a lot of implicitness. I&#x27;ve become convinced that that&#x27;s a very, very bad idea.<p>If there were no other ideas on the horizon or if Rust seemed like a surefire success, it might have been justified to make such a switch, but that&#x27;s not the case. Rust&#x27;s low adoption rate in professional settings is not reassuring to &quot;PL-cautious&quot; people like me, and a language like Zig shows that there are other approaches that appeal to me more, and while more revolutionary and ambitious than Rust in its departure from C++&#x27;s philosophy, I think it also has the potential to be better <i>enough</i>. Maybe it will make it, and maybe it inspires some other language that will, or maybe other ideas will turn up. Given the risk and commitment, to me it makes sense to wait. I don&#x27;t like C++; I believe Rust is better. But that&#x27;s not enough.

Totally agree with this article, as a fellow HFT coder.<p>The problem in c++ is the surface where you might cause a memory problem is huge. Once it&#x27;s there, it&#x27;s a lot of work to test the hypotheses about where it is hiding. On top of that, these kinds of issues can escape your instrumentation in a way that other bugs tend not to. Add some debug lines, things get accessed differently -&gt; Heisenbug. Mega pain in the ass to figure out, lots of time taking everything apart, sprinkling debug lines, running long tests to catch that one time it goes wrong in a million, and so on.<p>He&#x27;s also right that the array access thing is not a huge thing, it can&#x27;t possibly be what your decision turns on, and that most of the code doesn&#x27;t have a tradeoff in performance, because it&#x27;s in the config stage rather than the hot path.<p>Personally I&#x27;ve had a great time with Rust, it&#x27;s far more productive than other typed languages I&#x27;ve used. On a business level, the issue with the type of bug mentioned above is it destroys your schedule. I&#x27;ve spent entire weeks looking at that kind of thing, when I was expecting to be moving on with other parts of my project. With my current Rust stuff, I&#x27;m doing what I expect to be doing: addressing some issue that will soon be fixed like adjusting some component to fit a new spec.

This article has a core point which is good: “in Rust the default is safe, and you have to opt-in to unsafety, but in C++ the default is unsafe, and you have to opt-in to safety”. I think it’s easy to argue for Rust using this construction, because, well, that’s the entire point why Rust was created.<p>But, it really doesn’t take a very long post to talk about this. The remainder goes off the rails, talking about “C++ apologists” (hint: if you’re being “fair”, pick words that are unlikely to cause people to be preemptively upset. This is not one of those words) and their stupid opinions. And the author just trashes them as being complete idiots, but it’s obvious that the arguments come from inexperience or strawmen, which just makes the overall thing not particularly convincing. Saying that the various UB finding tools were useless because you tried using them and didn’t get good results is stupid. Being smug about “people who use modern C++ clearly can’t do HFT, which is the thing that you said you were using C++ to do” is also insipid, just because you spotted the use of a shared_ptr somewhere and read how it’s not zero-cost. Modern C++ has other things in it, you know, many of which <i>are</i> zero-cost and significantly (but not entirely) safer; picking one thing and misrepresenting it does not make for a good refutation.<p>Anyways, coming from someone who writes a lot of C++ and would also like a lot of code to be migrated to Rust for good reasons, it’s a good idea to approach the tradeoffs honestly and without disdain for those who aren’t convinced yet. The core argument I mentioned above and the closing part of the article does do this…but there’s a lot in the middle that doesn’t, and it drags down the usefulness of the post.

The substance of the article is overshadowed by its unfortunate tone.<p>&gt; But wait! The C++ apologists are still talking! What are they saying? How have they not been completely flummoxed?<p>is just one small sample. I came out of the article liking Rust a little bit less than when I went in (irrational, I know, but true).<p>The quote from The Big Lebowski comes to mind: you&#x27;re not wrong, author, ...

&gt; I learned that the issue was in framework code – code written by my boss’s boss. The code was untested, and written extremely poorly, and had rotted, so that it didn’t work at all.<p>One unaddressed issue in Rust is that this could easily happen with a crate, and how hard diagnosing it could be, especially due to implicit behavior via procedural and attribute macros. Also, just because your code is safe, there could still be an unsafe block at the end of any long safe call chain. I haven&#x27;t been able to reconcile to myself how this isn&#x27;t just an illusion of overall safety.

Since this is about array indexing, if you do slice.iter.for_each() instead of for-in, while-let or manual indexing then it already uses unchecked access under the hood today because internal iteration can use a counted loop and knows it doesn&#x27;t need those bounds checks.

As for array index checking, Julia gets it right. It uses a pair of macros (@boundscheck and @inbounds), which empowers the user elide bounds checking. Moreover, it is extensible to beyond just arrays. I’ve used these macros in my own hand-rolled implementation of a ring buffer.

&gt; To review, where do Rust and C++, these programming languages with their vastly different philosophies, Rust for the cautious, C++ for the fast and bold, stand? In the exact same place.<p>The author spent 1 page before this statement, and the whole article after it, explaining that this is not true, so the article is a big contradiction.<p>Rust and C++ are not &quot;in the exact same place&quot;.<p>With Rust, you get bound checking by default. If, after profiling, you find that it is a performance problem somewhere, it allows you to elide it safely. In the programs I work on, 99% of the execution time of my program is spent in 1% of the code, and Rust optimizes for this situation. Instead of debugging segmentation faults due to performance optimizations that buy you nothing in 99% of the code, you can spend your time optimizing the 1% that actually makes a difference.<p>This is why Rust libraries are program are &quot;so fast&quot;. Its not because of multi threading, or because rust programmers are geniuses, but rather because Rust buys these programmer time to actually optimize the code that matters, and in particular, do so without introducing new bugs.

Really good article that covers some poor arguments about C++.

There&#x27;s a presumption here that checked access would cost some nr of nanoseconds per access, but this often isn&#x27;t the case since predicted, not-taken branches tend to have 0 cycle latency in recent CPUs.

I’m my view, Rust is a very uninspired kind of safe language. But a point on which I agree with Rust is that array accesses should be checked by default.<p>I think this article ignores some arguments for array bounds checks and it ignores the importance of what the default is:<p>- It doesn’t matter how fast or slow bounds checking is in theory. It only matters how fast it is in practice. In practice, the results are quite surprising. For example, years ago WebKit switched its Vector&lt;&gt; to checking bounds by default with no perf regression, though this did mean having to opt out a handful of the thousands of Vector&lt;&gt; instantiations. Maybe this isn’t true for everyone’s code, but the point is, you should try out bounds checking and see if it really costs you anything rather than worrying about hypothetical nanoseconds.<p>- If you spend X hours optimizing a program, it will on average get Y% faster. If you don’t have bounds checks in your program and your program has any kind of security story, then you will spend Z hours per year fixing security critical OOBs. I believe that if you switch to checking bounds then you will instead get Z hours&#x2F;year of your life back. If you then spend those hours optimizing, then for most code, it’ll take less then a year to gain back whatever perf you lost to bounds checks by doing other kinds of optimizations. Hence, bounds checking is a kind of meta performance optimization because it lets you shift some resources away from security to optimization. Since the time you gain for optimization is a recurring win and the bounds checks are a one time cost, the bounds checks become perf-profitable over time.<p>- It really matters what the language does by default. C++ doesn’t check bounds by default. The most fundamental way of indexing arrays in C++ is via pointers and those don’t do any checks today. The most canonical way of accessing arrays in Rust is with a bounds check. So, I think Rust does encourage programmers to use bounds checking in a way that C++ doesn’t, and that was the right choice.<p>As a C++ apologist my main beef is: if bounds checks are so great then please give them to me in the language that a crapton of code is already written in rather than giving me a goofy new language with a different syntax and other shit I don’t want (like ownership and an anemic concurrency story).

I don&#x27;t know what people mean when they talk about &quot;safe&quot; or &quot;unsafe&quot; code. Doing something like `int a[5]; a[2] = 100;` in C is perfectly safe because there is no bug in that code. The only thing that might be unsafe about that is if you change the code because then you might create a bug. Changing code is always unsafe because you can always create bugs in any language, even Rust.<p>I don&#x27;t think &quot;safe&quot; or &quot;unsafe&quot; can be a property of code; it can only be a property of something you do, like changing code. I think that something being &quot;unsafe&quot; means that there is a risk with doing it. Programming is always a risk, even if you write Rust code without using the &quot;unsafe&quot; keyword. You can even have arbitrary code execution bugs in Rust programs without using the &quot;unsafe&quot; keyword; think about bugs like SQL-injections.<p>All of this doesn&#x27;t mean than I don&#x27;t think the checks that the Rust compiler does help. They probably help many people to write less buggy code. I just think it makes no sense to call code &quot;safe&quot; or &quot;unsafe&quot;.

&gt; Most specifically, gcc and icc are much better compilers for those use cases – empirically – than is LLVM.<p>This is interesting. Where can I read more about this ?

Great article, I&#x27;m bookmarking it so I can point to it if and when required ;p

Read only top half of the article.<p>Would like to add that at least in plain C, doing var[index] doesn&#x27;t invoke any checked() or unchecked() access function call. It&#x27;s rather compiled into assembly instructions to calculate the address where the data is expected and load it into memory in one or two lines.